It seems that many organisations have difficulties securing their backend storage when using the cloud 'Simple Storage Service' (known as S3) offered by Amazon Web Services (AWS). For years now there have been numerous reports of buckets (think folders from a computer perspective) containing HIGHLY sensitive information being left wide open on the public internet for anyone to find. This is clearly EXTREMELY alarming, as people have trusted these organisations to keep their data safe, and these organisations then betray this trust by giving it all out freely! A few recently disclosed cases include leaked birth certificates, important internal company information and personal information, which have probably caused the victims no end of stress 😔.

TechCrunch: Over 750,000 Applications for US Birth Certificate Copies Exposed Online

ThreatPost: GE, Dunkin’, Forever 21 Caught Up in Broad Internal Document Leak

TNW: Open AWS Database Leaks PayMyTab Customers’ Personal Info

I don't want to saturate this post with breach links; you can find more if you just search for "aws s3 hack" or "aws s3 breach" (remember to include the quotes to help your chosen search engine). These span years, so be ready to pick your chin up off the floor 🤣! It truly is surprising that so many organisations can get this wrong, and clearly the assumptions organisations have been making are misguided for this to keep happening. Finding these buckets is so easy for an attacker that it can be automated, letting them go and make themselves a brew ☕. You just scan storage servers for open buckets and steal the data when you find them 😬!

sa7mon: S3Scanner

The Daily Swig: New Tool Helps You Find Open Amazon S3 Buckets

Full disclosure: I use AWS for my site and am all too familiar with AWS S3, having administered buckets and lost sleep at night obsessing about the permissions set up on them.
I've also set up access for applications to my buckets and have had the ABSOLUTE PLEASURE of beating my head against my desk trying to get my apps to talk to them 🤣! From all of this, (to Amazon's credit) I do know that the AWS S3 dashboard SCREAMS AT YOU when buckets are public, and when you create new buckets, the default selection is private. Amazon even gives you the option to prevent buckets from being made publicly available (link below; when I found it I SWIFTLY USED IT, MY GOSH 😱). When your buckets are private, you can apply fine-grained user and role-based access control (e.g. read and/or write and/or create and/or list etc.) to significantly limit what accessors can do. You can also revoke access from any user at any time. The toolset is comprehensive and very mature.

AWS: Using Amazon S3 Block Public Access

[Image: Lady happy that AWS S3 buckets have lots of security options]

By the way, I'm not victim blaming when I write all of this. There are A LOT of tools that Amazon offers and it can be extremely difficult to get your head around it all. The documentation is VERY detailed, but there is A LOT of it, so it is hard to get the fuller picture that you need. Amazon themselves admit to the issue and say that if they were to start again, they'd have split S3 into separate private and public services to make it easier for users to understand. They've even released an official analyser tool to help 🧐🤔!

We’d Change AWS S3 Bucket Security if We Had “A Time Machine”: AWS Director

AWS Has New Tool for Those Leaky S3 Buckets so, Yeah, You Might Need to Reconfigure a Few Things

From a developer's point of view, I know just how difficult and time consuming it is to try and get security correct, with all the standards to read, the code you have to write, the defensive checks you have to make and the sheer number of tests you have to author. It's important that we do our best to secure our data and use all the tools available to us.
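To turn the two points above (open buckets are trivially found; Block Public Access plus private-by-default policies are what keep them closed) into a check you can run yourself, here is an added example. It is my own illustration, not code from this post or from AWS: it audits a snapshot of a bucket's policy, ACL and Block Public Access settings and reports whether the bucket is effectively public and why. The bucket name, policy and ACL are constructed sample values; the JSON shapes, the public group URIs and the four Block Public Access setting names are the ones the S3 API uses, but the evaluation is a simplification of AWS's own "public" definition (a Condition on a wildcard principal is flagged for review rather than evaluated).

```python
import json

# Canned group grantees that make an ACL public (real S3 group URIs)
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers (anyone on the internet)",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers (any AWS account)",
}
# The four Block Public Access switches, as named in the S3 API
BPA_SETTINGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def _principal_is_wildcard(principal) -> bool:
    """True for Principal "*" or {"AWS": "*"} (the "*" may sit inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        aws = [aws] if isinstance(aws, str) else aws
        return "*" in aws
    return False


def public_policy_statements(policy: dict) -> list:
    """Return (sid, has_condition) for every Allow statement open to any principal."""
    statements = policy.get("Statement", [])
    statements = [statements] if isinstance(statements, dict) else statements
    hits = []
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow" or not _principal_is_wildcard(stmt.get("Principal")):
            continue
        hits.append((stmt.get("Sid", f"statement[{i}]"), "Condition" in stmt))
    return hits


def public_acl_grants(grants: list) -> list:
    """Return (permission, grantee description) for grants made to the public groups."""
    hits = []
    for grant in grants:
        uri = grant.get("Grantee", {}).get("URI")
        if uri in PUBLIC_GROUP_URIS:
            hits.append((grant.get("Permission"), PUBLIC_GROUP_URIS[uri]))
    return hits


def audit_bucket(name: str, policy: dict, grants: list, bpa: dict) -> dict:
    """Combine policy, ACL and Block Public Access into one verdict plus a list of findings."""
    findings, public = [], False
    for sid, conditioned in public_policy_statements(policy or {}):
        if bpa.get("RestrictPublicBuckets"):
            findings.append(f"policy {sid}: wildcard principal, neutralised by RestrictPublicBuckets")
        elif conditioned:
            # Simplification: the Condition might narrow access (e.g. to a VPC endpoint); a human should check
            findings.append(f"policy {sid}: wildcard principal narrowed by a Condition - review it")
        else:
            findings.append(f"policy {sid}: wildcard principal with no Condition - PUBLIC")
            public = True
    for permission, who in public_acl_grants(grants or []):
        if bpa.get("IgnorePublicAcls"):
            findings.append(f"ACL grants {permission} to {who}, ignored because IgnorePublicAcls is on")
        else:
            findings.append(f"ACL grants {permission} to {who} - PUBLIC")
            public = True
    for key in BPA_SETTINGS:
        if not bpa.get(key):
            findings.append(f"Block Public Access setting {key} is off")
    return {"bucket": name, "public": public, "findings": findings}


# Constructed sample input: the classic "public-read" bucket policy plus a public-read ACL
SAMPLE_LEAKY_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "PublicReadGetObject",
    "Effect": "Allow",
    "Principal": "*",
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-leaky-bucket/*"
  }]
}""")
SAMPLE_LEAKY_ACL = [
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"}
]
SAMPLE_BPA_OFF = {key: False for key in BPA_SETTINGS}   # Block Public Access never switched on
SAMPLE_BPA_ON = {key: True for key in BPA_SETTINGS}     # the setting the post links to, fully enabled

if __name__ == "__main__":
    for bpa in (SAMPLE_BPA_OFF, SAMPLE_BPA_ON):
        print(json.dumps(audit_bucket("example-leaky-bucket", SAMPLE_LEAKY_POLICY,
                                      SAMPLE_LEAKY_ACL, bpa), indent=2))
```

Running it shows the same leaky policy and ACL first as PUBLIC with six findings, then as non-public once all four Block Public Access switches are on: the policy is neutralised by RestrictPublicBuckets and the ACL by IgnorePublicAcls, which is exactly why that one setting is worth enabling before anything else. Feed it the output of `get-bucket-policy`, `get-bucket-acl` and `get-public-access-block` to audit a real bucket.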
I would also recommend, at the very least, enabling encryption at rest when creating your S3 buckets to secure your data on disk. Also, if possible, use application client-side encryption so that if your files were (somehow 🤷‍♂️) exposed to the internet 😲🤮, they would be almost impossible to read, because whoever found them would not possess the decryption key 🥴.

AWS: Protecting Data Using Client-Side Encryption

[Image: Software developer putting in numerous defensive checks for secure applications]

I'll close this post by saying that this isn't a uniquely AWS S3 or even cloud storage problem, as mistakes including publicly allowing directory listing, along with broken authentication, application vulnerabilities, firewall misconfigurations and web server errors can lead to similar results and splitting headaches 🤦. This shows that we need to be mindful of our infrastructure and the tools that we use. Check, check and check again.

Take care and all the best. Si.
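To show what the client-side encryption recommendation above buys you, here is an added example of the envelope pattern that the AWS client-side encryption support uses: every object gets its own random data key, the object is sealed with that key, and only the data key is wrapped with a master key the application holds, so the pair of blobs that would land in a bucket tell an accidental finder nothing. This is my own illustration, not code from this post or from AWS, and it deliberately uses a stdlib-only authenticated cipher (HMAC-SHA256 in counter mode with encrypt-then-MAC) so it runs without extra packages; the master key and the personal record are constructed sample values. In production you would use the AWS Encryption SDK or the S3 client-side encryption client, which use AES-GCM and KMS-managed master keys.

```python
import hashlib
import hmac
import os

NONCE_LEN = 16  # per-message random nonce
TAG_LEN = 32    # HMAC-SHA256 tag


def _derive(key: bytes, label: bytes) -> bytes:
    """Derive a purpose-specific subkey so encryption and MAC never share a key."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF in counter mode: block i of the keystream is HMAC(key, nonce || i)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag; the tag covers both nonce and ciphertext."""
    nonce = os.urandom(NONCE_LEN)
    stream = _keystream(_derive(key, b"enc"), nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(_derive(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def open_sealed(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; raises ValueError on a wrong key or a modified blob."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_derive(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or modified object")
    stream = _keystream(_derive(key, b"enc"), nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, stream))


def encrypt_object(master_key: bytes, plaintext: bytes) -> dict:
    """What gets uploaded: the sealed body plus the data key wrapped under the master key."""
    data_key = os.urandom(32)
    return {"body": seal(data_key, plaintext), "wrapped_key": seal(master_key, data_key)}


def decrypt_object(master_key: bytes, stored: dict) -> bytes:
    """What a legitimate reader does: unwrap the data key, then open the body with it."""
    data_key = open_sealed(master_key, stored["wrapped_key"])
    return open_sealed(data_key, stored["body"])


def exposed_object_is_unreadable(stored: dict, plaintext: bytes) -> bool:
    """What a leak hands out: neither stored blob contains the plaintext, and without the
    master key there is nothing to unwrap the data key with."""
    return plaintext not in stored["body"] and plaintext not in stored["wrapped_key"]


if __name__ == "__main__":
    master = os.urandom(32)                           # in practice a KMS-backed key, never stored in the bucket
    record = b"name=Jane Example;dob=1990-01-01"      # constructed sample personal data
    stored = encrypt_object(master, record)
    assert decrypt_object(master, stored) == record
    print("round trip ok; leaked blobs reveal the record:", not exposed_object_is_unreadable(stored, record))
```

The split into a per-object data key and a wrapped key is what makes key rotation and revocation practical: rotating the master key means re-wrapping small data keys rather than re-encrypting every object, and the server-side encryption at rest the post also recommends still applies underneath, since S3 only ever sees the sealed body.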